[keycloak-user] Keycloak behind Apache with SSL - read certificate from body

Aikeaguinea aikeaguinea at xsmail.com
Sat Jul 9 13:48:02 EDT 2016


If you don't have requirements that your certificate authenticator be
proprietary, might I suggest that you open-source it? I think this kind
of authentication may not be an uncommon use case, particularly with the
Internet of Things beginning to take off.
 
 
On Thu, Jul 7, 2016, at 10:53 AM, Filipe Lautert wrote:
> Hello
>
> short story: is there a way to get the request body sent from the
> client inside an Authenticator (my class implements Authenticator,
> using method @Override authenticate(context))? I'm trying with
> context.getHttpRequest().getInputStream() but it is empty.
>
> Full story:
> I'm trying to build a Keycloak authenticator that reads a client
> certificate and uses it to validate the user, using as a base the
> SecretQuestionAuthenticator example. The client certificate is a hard
> token that is read by Firefox. To handle the certificate read part I'm
> using Apache mod_ssl, with the below relevant configuration:
>
> SSLEngine on
> SSLProxyEngine on
> <LocationMatch "/auth">
>     ProxyPass ajp://localhost:8010/auth
>     ProxyPassReverse ajp://localhost:8010/auth
> </LocationMatch>
> SSLOptions +StdEnvVars +ExportCertData
> ... etc
>
> Looking at a tcpdump/wireshark on port 8010, I can see that the client
> certificate is sent on the request body to Keycloak.
>
> So far fine, Apache validates the certificate, extracts it and sends it
> to Keycloak. The problem is that I'm unable to read the request body
> inside my authenticator class as
> context.getHttpRequest().getInputStream() is empty, and as the body is
> the raw certificate the
> context.getHttpRequest().getFormParameters() method won't return me
> anything.
>
> public class SecretQuestionAuthenticator implements Authenticator {
>     @Override
>     public void authenticate(AuthenticationFlowContext context) {
>         System.out.println(context.getHttpRequest().getInputStream().available()); // prints 0
>         System.out.println(getStringFromInputStream(context.getHttpRequest().getInputStream())); // empty :(
>     }
> }
>
> Any ideas of how I can get it to work?
>
> Thanks
>
> filipe
> --
> filipe lautert
> _________________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
 
--
  Aikeaguinea
  aikeaguinea at xsmail.com
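As an added illustration (not code from this thread, from Keycloak, or from either poster), the sketch below takes the forwarded client certificate from the servlet-standard request attribute `javax.servlet.request.X509Certificate` instead of the request body: with `+ExportCertData` Apache passes `SSL_CLIENT_CERT` as an AJP attribute and the container exposes it there, which is why the body read in the original message comes back empty. It assumes that the `HttpRequest` returned by `context.getHttpRequest()` exposes `getAttribute(String)`, that the Keycloak `UserProvider` of that era takes `getUserByUsername(username, realm)`, and that the `AuthenticatorFactory` plus `META-INF/services` registration is done as in the SecretQuestionAuthenticator example the question is based on; the trust anchors are whatever CA set Apache was given in `SSLCACertificateFile`.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Example authenticator (hypothetical class): maps a proxy-forwarded client cert to a user. */
public class ForwardedClientCertAuthenticator implements Authenticator {

    /** Servlet-standard attribute that the AJP connector fills from Apache's SSL_CLIENT_CERT. */
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** CA certificates Apache trusts (assumed to be loaded by the factory from SSLCACertificateFile). */
    private final Set<TrustAnchor> trustAnchors;

    public ForwardedClientCertAuthenticator(Set<TrustAnchor> trustAnchors) {
        this.trustAnchors = trustAnchors;
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Assumption: the RESTEasy HttpRequest exposes servlet request attributes via getAttribute().
        Object attr = context.getHttpRequest().getAttribute(CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // No certificate forwarded: client sent none, or the request bypassed the SSL vhost.
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;

        // Defense in depth: Apache already verified the chain, but re-check against our own
        // anchors so a request that reaches the AJP port some other way cannot just assert a cert.
        if (!chainIsValid(chain, trustAnchors)) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        String cn = commonName(chain[0].getSubjectX500Principal());
        UserModel user = cn == null ? null
                : context.getSession().users().getUserByUsername(cn, context.getRealm());
        if (user == null) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.setUser(user);
        context.success();
    }

    /** PKIX validation of the forwarded chain (leaf only, as ExportCertData provides it). */
    static boolean chainIsValid(X509Certificate[] chain, Set<TrustAnchor> anchors) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(chain));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // revocation left to Apache (SSLCARevocationFile)
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Extracts the CN RDN from a subject DN, e.g. "CN=alice,O=Example" gives "alice". */
    static String commonName(X500Principal subject) {
        try {
            for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN maps to no user
        }
        return null;
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Two points that matter more than the code: the whole scheme trusts Apache to have done `SSLVerifyClient require`, so the AJP listener on 8010 must be reachable only from that proxy (bind to localhost, as the configuration in the question does, and firewall it), otherwise the forwarded attribute is just unauthenticated input; and the re-validation above is only a second check, so revocation (CRL or OCSP) still has to be enforced somewhere, here assumed to be Apache. The chain-to-user mapping by CN is deliberately strict: an unparsable subject or an unknown CN fails closed rather than falling through to another authenticator.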
 
 

